IBM Qradar History

Began as University Project by Sandy Bird at University of New Brunswick

Network flow monitoring, nothing to do with SIEM

Commercial product in 2001 in the NBAD space (QVision)

Changed focus & moved into the SIM space around 2004-2005

Changed name from QVision to QRadar

Original QFlow product now part of QRadar SIEM

OEM relationships with Juniper and Enterasys

Purchased by IBM in October, 2011

You cant correlate what you cant collect

Event Source Support
Vendor supplied
3rd party partners
Custom Connectors
Time to build
Wizard-based
Regular expression
generator
Retention Defaults
Correlated alerts
Username history
Flow data

Retention Limits
Correlated/Offense alerts
All other retention
settings (events, flows,
etc.)
Real-time Views
Log and network history
Correlation/Offense
activity

HP ArcSight

IBM Qradar

~350
~45 (CEF)

~180
~14 (LEEF/AXIS)

Hours/Days
Yes
Yes

Weeks/Months
No, XML development required
No, must develop from scratch

Unlimited
Unlimited
Unlimited

3 Days
1 Week
1 Week

Unlimited
Unlimited

2,500 before rolling off

2 years maximum

Unlimited
Unlimited

Last 7 days
1 month

You cant correlate what you cant trust

HP ArcSight

Data

Loss
Product restarts
Network outage
Event spikes
License limits exceeded
Windows collection

Encryption
Encrypted transport
Research-based Reputation
Research intelligence
Bandwidth Management
Caching
Batching
Filtering
Aggregation
Compression

Events
Events
Events
Access

IBM Qradar

queued, not dropped

queued, not dropped
queued, not dropped
limited, events not
dropped
Events queued, not dropped

Events dropped
Events dropped
Short buffer, then events
dropped
Events dropped
Syslog/udp transport,
unreliable, events will drop

Yes, by default

Not by default, 50% performance

hit when enabled

Yes, know malicious hosts and

domains intelligence

Limited to your own analysis

within your own company

Yes, unlimited size

Yes
Supported by all Connectors
Unlimited
Yes, by default

Limited buffer size

No
Only a few event sources
Very limited, no customization
Optional, not by default

You cant correlate what you dont understand

HP ArcSight

IBM Qradar

~500, full normalization

~70, partial normalization

Yes; Active Directory, Oracle

Identity Manager,
FlexConnector; full attribute
support

No, only userid analysis and

limited historical analysis

Yes

No, dashboards, incidents and

events in separate views with
limited integration

Workflow
Integrated workflow

Yes

No

Case Management
Integrated case management

Yes

No

Normalization
Normalized collection

Identity-based activity
tracking
Identity Management (IdM)
integration
Analysis
Speed of thought drilldown

You cant correlate what you cant correlate

Historical correlation
Correlate on past
activity
Identity correlation
Identity Management (IdM)
integration

State-based, session
correlation
Ability to remove entries
Ability to age out
entries
Multiple fields tracked
Ability to view entries
Anomalous pattern detection
Anomaly correlation

Rules to detect new threats

Behavioral, threshold,
anomaly correlation

HP ArcSight

IBM Qradar

Yes

No

Yes; Active Directory, Oracle

Identity Manager,
FlexConnector; full attribute
support

No, only userid analysis and

limited historical analysis

Yes, by rule or manually

Yes
Yes, unlimited
Yes

No
No
Single field only
No

Yes, with automatic rule

creation

No

Unlimited

Activity must have already

occurred in your environment
to create rules

Comment from customers

-

Any custom log source their framework for getting non-standard logs (not syslog based) will

require a lot of internal working and configuration. Anything that is syslog based will require a lot of
messing around.
-

Sophisticated correlation their correlation engine is relatively simple so anything that is more than
simple aggregation will be relatively difficult for them.

Anything that leverages lists (active or session) will be a massive win for ArcSight. They have lists,

but they cannot update or add / remove from a list. So building sophisticated use cases will be VERY
difficult and they will rely on very complex logic (and time sequencing will be tough for them).

IBM Qradar is simple to use so they cannot do sophisticated use cases

Sophisticated Use Cases

Here is one use cases from a real customer and Qradar wasn't able to solve it
during a POC:

(1) open a case if there are more than 10 failed logins for an account within a day
(2) if there is at least one successful login before reaching 10 failed logins, then reset the "failed login"
counter and start again counting from zero

IBM Qradar is simple to use so they cannot do sophisticated use cases

About Gartner & Vendor

Research

Gartner Magic Quadrant

Gartner SIEM MQ 2011 - 2013

HP ArcSight has moved UP and to the RIGHT

The MOST visionary product in the Gartner MQ

A LEADER for 10 consecutive years, while others have appeared and disappeared

Gartner recognizes HPs vision through ops-analytics, integrating SIEM and IT Ops

Analyst Leadership: Gartner and IDC

Gartner MQ: Leader 7 Years

IDC: Share Leader 4 Years

HP, 23.6%

Other, 42.2%

IBM, 13.0%

McAfee, 3.4%

EMC, 9.3%
NetlQ, 8.5%

Source: IDC (December 2010)

11

IDC 2013 report: HPs revenue is

more than that of next two
vendors combined in worldwide
SIEM market

Effectiveness Matters
SANS, CERT, NIST, OSVDB, software, and reputation vendors
Ecosystem
partner

~3,000+ independent researchers

~3000 researchers

2000+ customers sharing data

7000+ managed networks globally

DVLabs Research & QA

Actionable security intelligence

HP Security
2,000+ Research
customers participating

ESS

Thought leadership

Automatically integrated into HP products

HP finds more vulnerabilities than the rest

of the market combined

Top security vulnerability research

organization for the past three years

- Frost & Sullivan

Note: All figures are rounded. The base year is 2012. Source: Frost & Sullivan

Industry Leading Security Intelligence

Business Application Vulnerabilities
35
30
25
20
15
10
5
0
HP
TippingPoint

Secunia

US-CERT

Verisign
iDefense

High-Tech
Bridge

IBM ISS

VUPEN Security

Public Vulnerability Research Market: Business Application Vulnerabilities by Reporting Source, Global,
2012

Definition - Zero-Day Exploit

Proactive Protection
t1
Vulnerability
Is found

t2
Exploit-Code is
In-The-Wild

t3
Software Vendor
releases Patch

t4
Patch Rollout

Our Zero-day Coverage Compared to

Competition
300
250
200
2013
150

2012
2011

100

2010
2009

50

2008
2007

Compiled from publicly verifiable data at http://www.microsoft.com/technet/security/current.aspx

2006